Iowa Hospital Uncovers Extensive 7-Year Privacy Breach

After seven years of illegally accessing the protected health information (PHI) of 1,620 patients, an employee at UnityPoint Health’s Allen Hospital in Waterloo, Iowa has been reported to the Department of Health and Human Services (HHS) for federal investigation.

Officials at the hospital say that the breach was first uncovered on March 14, 2016. The data that this employee inappropriately accessed over the course of her seven-year stint includes patients’ names, dates of birth, addresses, treatment information, health insurance identification information, and medical record numbers. Social Security numbers may have been viewed in some cases as well.

After the breach was initially discovered, Allen Hospital launched a full review of the employee's access history, which revealed that she had begun inappropriately accessing PHI as early as September 2009. Jim Waterbury, Allen's vice president for institutional advancement, commented that the employee's job entailed regularly accessing PHI. That is what accounts for the length of time it took officials to notice the HIPAA breaches: every individual lookup resembled ordinary work for her role, and role-based access controls alone cannot distinguish a record a user needs from one she merely has permission to open. Only a retrospective review of the access history, checked against what her duties actually required, exposed the pattern.

Hospital officials have escalated the issue to the HHS Office for Civil Rights (OCR) and have taken disciplinary action against the employee. They’ve also sent letters to affected individuals to notify them of the breach.

In a statement, Waterbury commented on the incident, saying: "We apologize to our affected patients, and we accept our responsibility to keep this event from happening again." Fortunately, officials at Allen have reported that they have found no evidence that any of the patients' data was stolen or used illegally.

Regardless of the action that OCR pursues, HIPAA makes clear that excessive and inappropriate access to PHI outside the scope of treatment, payment or health care operations violates patients' right to privacy; the Privacy Rule's minimum necessary standard (45 CFR 164.502(b)) limits workforce access to the PHI a task actually requires. Health care organizations that allow employees to access PHI must also have policies and procedures in place to monitor that access: the Security Rule requires audit controls that record and examine activity in systems holding electronic PHI (45 CFR 164.312(b)) and a regular information system activity review of audit logs and access reports (45 CFR 164.308(a)(1)(ii)(D)). Recording the logs is not enough; someone, or something, has to review them.

Internal auditing and compliance-as-a-service programs can give administrators and security or privacy officers the ability to monitor and document employee access to PHI. For users whose jobs require routine PHI access, as in this case, the useful signals are not individual permission checks (which will pass) but whether each access matches an actual care relationship with the patient and whether a user's volume of distinct records stands out from peers in the same role. Allen Hospital has introduced such a program now that the breach has been brought to a close, as a means of mitigating future incidents and ensuring that its patients' rights to privacy are protected and upheld.
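The two checks described above, applied to EHR audit logs, as an added example written for this page rather than any product Allen Hospital or UnityPoint Health deployed. The log format (comma-separated timestamp, user, role, unit, patient MRN, action), the sample log lines, the care-team and encounter table, and the thresholds are all constructed for illustration; a real program would read the EHR's own audit export and its encounter and care-team data, and would compute the volume baseline per day or week against a rolling history rather than over a single batch.

```python
"""Flag suspicious PHI access in constructed EHR audit log lines.

Check 1 (relationship): an access is expected only when the user is on the
patient's care team or works on the unit where the patient has an open
encounter. Anything else is flagged, including lookups of patients with no
encounter on file.
Check 2 (volume): a user who opens far more distinct patient records than
peers in the same role is flagged even if each access looked plausible.
All names, units, MRNs and thresholds below are constructed assumptions.
"""
from collections import defaultdict
from statistics import median

PEER_FACTOR = 2.0  # flag when distinct patients exceed this multiple of peers' median
MIN_PATIENTS = 3   # and at least this many, so tiny counts never trigger

# Constructed audit export: ts,user,role,unit,mrn,action
SAMPLE_LOG = """
2016-03-01T08:05,rn_alvarez,nurse,ICU,MRN1001,view
2016-03-01T08:10,rn_alvarez,nurse,ICU,MRN1002,view
2016-03-01T09:00,dr_chen,physician,ICU,MRN1001,view
2016-03-01T09:30,clerk_doe,registration,ADMIT,MRN1003,view
2016-03-01T10:00,clerk_doe,registration,ADMIT,MRN1001,view
2016-03-01T10:02,clerk_doe,registration,ADMIT,MRN1002,view
2016-03-01T10:04,clerk_doe,registration,ADMIT,MRN2001,view
2016-03-01T10:06,clerk_doe,registration,ADMIT,MRN2002,view
2016-03-01T10:08,clerk_doe,registration,ADMIT,MRN2003,view
2016-03-01T11:00,clerk_ray,registration,ADMIT,MRN1003,view
2016-03-01T11:10,clerk_ray,registration,ADMIT,MRN2004,view
2016-03-01T11:20,clerk_lee,registration,ADMIT,MRN1003,view
2016-03-01T11:30,clerk_lee,registration,ADMIT,MRN2004,view
2016-03-01T11:40,clerk_kim,registration,ADMIT,MRN2004,view
"""

# Constructed encounter table: mrn -> (unit with open encounter, care-team users)
ENCOUNTERS = {
    "MRN1001": ("ICU", {"rn_alvarez", "dr_chen"}),
    "MRN1002": ("ICU", {"rn_alvarez"}),
    "MRN1003": ("ADMIT", {"clerk_doe", "clerk_ray"}),
    "MRN2001": ("ONC", {"dr_patel"}),
    "MRN2002": ("ONC", {"dr_patel"}),
    "MRN2003": ("ONC", {"dr_patel"}),
    "MRN2004": ("ADMIT", set()),
}


def parse_log(lines):
    """Turn the constructed CSV lines into event dicts, skipping blank lines."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ts, user, role, unit, mrn, action = line.split(",")
        events.append({"ts": ts, "user": user, "role": role,
                       "unit": unit, "mrn": mrn, "action": action})
    return events


def has_care_relationship(event, encounters):
    """True if the user is on the care team or on the patient's encounter unit.
    A patient with no encounter on file never matches, so the access is flagged."""
    unit, team = encounters.get(event["mrn"], (None, set()))
    return event["user"] in team or event["unit"] == unit


def unrelated_accesses(events, encounters):
    """Check 1: every access with no care relationship behind it."""
    return [e for e in events if not has_care_relationship(e, encounters)]


def volume_outliers(events):
    """Check 2: users whose distinct-patient count is far above peers in their role.
    The user's own count is excluded from the peer baseline; a role with a
    single user has no baseline and is skipped rather than guessed."""
    patients = defaultdict(set)  # (role, user) -> distinct MRNs
    for e in events:
        patients[(e["role"], e["user"])].add(e["mrn"])
    counts_by_role = defaultdict(dict)
    for (role, user), mrns in patients.items():
        counts_by_role[role][user] = len(mrns)
    outliers = {}
    for counts in counts_by_role.values():
        for user, n in counts.items():
            peers = [c for u, c in counts.items() if u != user]
            if not peers:
                continue
            if n > max(PEER_FACTOR * median(peers), MIN_PATIENTS):
                outliers[user] = n
    return outliers


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG.splitlines())
    for e in unrelated_accesses(evts, ENCOUNTERS):
        print(f"NO RELATIONSHIP {e['ts']} {e['user']} ({e['unit']}) -> {e['mrn']}")
    for user, n in volume_outliers(evts).items():
        print(f"VOLUME OUTLIER  {user}: {n} distinct patients vs role peers")
```

Run on the constructed log, the relationship check flags every one of clerk_doe's lookups of ICU and oncology patients while passing her admissions work, and the volume check flags her again because she touched six distinct records while her peers touched one or two. That second signal is the one that catches a user whose individual accesses are each defensible; it is the kind of finding a seven-year retrospective review surfaces, and that a program running it weekly would have surfaced in 2009.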